Governor Brown has just signed the California Consumer Privacy Act of 2018. The new law, which has numerous similarities with the EU General Data Protection Regulation (GDPR), will take effect onJan. 1, 2020. The law was passed on an expedited schedule to block a similar initiative that had garnered enough signatures to qualify for the ballot. While the two measures have similar terms, it will be much easier for the California Legislature to amend the statutory measure than its initiative counterpart. It is expected that legislation proposing changes to the new law will be introduced early next year as part of the next two-year legislative session.

The law expands the definition of “personal information” to include a broad list of personal and commercial characteristics and behaviors, as well as inferences drawn from this information. It also provides California consumers with the ability to obtain information about the sharing and disclosure of their personal information and to prohibit such sharing or disclosure. The law affects a broad range of entities doing business in California, creating obstacles to their marketing and monetization efforts.

To Whom the Law Applies

The law applies to “businesses.” The term is defined as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that collects consumers’ personal information, or on the behalf of which personal information is collected, that (i) alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, (ii) does business in the state of California, and (iii) satisfies one or more of the following thresholds:

Has annual gross revenues in excess of $25,000,000;

Alone or in combination, annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or

Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”

Personal Information Protected

The definition of what constitutes “personal information” for the purposes of the law is consistent with the definition of personal data found in the GDPR. In the California Privacy Act, “personal information” is defined as information that identifies or relates to a consumer or household. The term information specifically includes, but is not limited to:

Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer.

Highlights of the Law

The law is intended to give consumers more control over their personal information, means to access the records kept by the business, and the ability to have it deleted. It grants consumers a right of portability and a right of erasure that is similar to those provided under the GDPR. It gives consumers the right to stop the disclosure or sharing of their personal information with third parties.

Highlights of the law include:

Businesses will be required to disclose what data is collected and the purposes for which it is used, including whether the information is sold to third parties, the categories of information that is shared with or sold to third parties, and the categories of third parties.

A consumer will have the right to request that a business disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the consumer’s information is shared or to whom it is disclosed. The consumer must receive a response within 45 days of making a request and providing appropriate identifying information.

Consumers will have the right to access the information that a business holds about them and the right to request deletion of personal information. The provision has numerous similarities with GDPR Article 17, which provides for a “right to be forgotten or right of erasure.” Businesses will be required to delete the data after verifying the identity of the requestor, with exceptions.

Businesses will be required to inform consumers of their rights regarding their personal information.

Consumers will have the right to request that a business cease sharing or selling their personal information. Websites will have to contain a prominent link on their home page, titled “Do Not Sell My Personal Information,” which consumers can use to opt-out of the sale of their personal information.

Consumers will have the right to equal service and price, even if they exercise their privacy rights. Consumers cannot waive their rights under the law; any waiver will be deemed void.

Businesses will be prohibited from discriminating against a consumer who refuses that their information be shared, such as by charging a fee, except if the difference is reasonably related to value provided by the consumer’s data.

Businesses will be allowed to offer financial incentives for collection of personal information.

Enforcement and Litigation

The law allows for enforcement by the California Attorney General, and provides for a private right of action in cases of certain unauthorized access, theft, or unauthorized disclosure of a consumer’s personal information that has not been encrypted or redacted. It is widely perceived that the law will increase privacy litigation.

The next several months leading into next year’s legislative session are likely to bring much behind the scenes legislative activity related to this new law. We will continue to publish updates on the evolution of the California landscape.